Pages

Friday, July 24, 2015

Cars getting hacked. Bad code can kill.

Over the past week we've seen security researchers completely take control over a Jeep Cherokee while sitting in the comfort of their own home via the cellular network. Some of the things they were able to commandeer on the moving vehicle were: the breaks, steering wheel, speedometer, music, windshield wipers, door locks, etc. Pretty much they had complete control of the car while the reporter, who was driving the car, flew down the highway at 70mph at their mercy. You can watch the video here.Shortly afterwards Chrysler recalled over 1.4 million cars that were vulnerable to this exploit by sending the affected owners a software upgrade via USB drive in the mail. That's right, they pretty much sneaker-netted the software patch it via the post office. The owners of these recalled cars now need to upload the fix from the USB into a port on the dashboard.

There is so much wrong here and it's very concerning. Here are just a few issues:

Every automotive vendor is pushing to have their features deployed to production as fast as possible and aren't worried about security. Once again we're seeing the same problem plaque developers and their code. If you're not going to learn how to create secure code in this day and age, do us all a favor and pick a different profession.

If two reseachers were able to do this on a small budget, what could a nation state, criminal gang or terrorist accomplish? Imagine a gang that's able to control your cars and airplanes with nefarious intent. This is not good, we're not talking about your facebook account getting hijacked here. Peoples lives at risk with this exploit.

I'm still not for them presenting these types of vulnerabilities at Black Hat. Yes, they need to be fixed, but when peoples lives are at stake, releasing the code, even just a little bit, is all those with malicious intent need for a jump start. Creating videos like this are fine, because you got the results you were looking for, but releasing it to the public is not the most responsible way to go about it.